July 14, 2017 – Recently announced authoritative but non-binding patient data sharing guidance could potentially aid behavioral healthcare providers in safely sharing substance use disorder and mental health patient records.
The California Office of Health Information Integrity (CalOHII) said its State Health Information Guidance (SHIG) will help providers know when and where patient records can be exchanged between providers.
Executive Director of San Diego Health Connect Daniel Chavez explained in a statement that the guidance was timely and would help further push forward health information exchange.
“The guidance comprehensively addresses concerns and barriers regarding what can be shared and under what circumstances, while protecting patient privacy,” Chavez said.
Executive Director of the California Association of Health Information Exchanges Robert Cothren echoed the same sentiment, adding that regulatory uncertainty has prevented organizations from sharing patient information.
“Sharing mental health and substance use disorder information is a critical component of the complete picture of an individual’s health,” Cothren stated.
The California Health and Human Services (CHHS) website explains that SHIG is applicable to the following groups:
- Physical health care providers
- Mental health care providers
- Substance use disorder providers
- Emergency service providers
- Caregivers and care coordinators
- Social services
- Law enforcement
“The SHIG grew out of comprehensive research, drawing from a broad group of stakeholders that reflect cross-industry insights and experience, to get a clear understanding of the problems different groups were facing in the field,” the website states. “The result of the research is the SHIG, a guidance containing 22 scenarios derived from real user stories, which clarify how laws apply to actual situations that arise for care providers.”
CalOHII added that organizations and corporations can attend a webinar on July 25, 2017 to learn more about how the SHIG can be applied and properly utilized. Talking points, as well as an outline for discussions, talks, and articles are also available for download from the CHHS website.
Under HIPAA regulations, mental health information privacy and security should also be a top priority for covered entities and business associates.
The Privacy Rule also states that there are certain circumstances where sensitive data “may need to be shared to ensure the patient receives the best treatment and for other important purposes, such as for the health and safety of the patient or others.”
“In all cases, disclosures to family members, friends, or other persons involved in the patient’s care or payment for care are to be limited to only the protected health information directly relevant to the person’s involvement in the patient’s care or payment for care,” HHS says on its website.
ONC has also been working to ensure that both patients and providers understand how patient data can be securely shared and in adherence with HIPAA regulations.
Toward the end of 2016 ONC released a fact sheet in conjunction with OCR, explaining that individuals might not utilize electronic health record data because of confusion around HIPAA.
HIPAA rules are meant to protect patients from improper data disclosures, but they also exist to ensure data can flow to support public health activities, according to then-ONC Chief Privacy Officer Lucia Savage and CDC Director of the Public Health Law Program, Office for State, Tribal, Local and Territorial Support Matthew Penn.
“ONC has highlighted the many circumstances in which HIPAA supports electronic exchange of PHI for treatment and specific kinds of health care operations,” Savage and Penn wrote in a blog post. “The new fact sheet provides examples about how HIPAA supports the electronic exchange of information, including contagious disease tracking, provider participation in cancer registries, and monitoring the health of children who have experienced lead poisoning.”
One scenario reviewed by ONC and OCR explained how data exchange may be subject to Food and Drug Administration (FDA) jurisdiction, as medical devices are subject to FDA jurisdiction.
ONC and OCR theoretically said that there was a recall of the fictional HeartWare2.0. The device was implanted in 35 patients before it was recalled. In this scenario, certain PHI (i.e. patient contact information and other health information about the affected patients) may be disclosed to the FDA.
The doctor must disclose only the information she deems necessary to support the recall, the agencies added. Additionally, the doctor may also seek the manufacturer’s input in making that decision, but it is not required.